[144510] in North American Network Operators' Group
Re: Why are we still using the CA model? (Re: Microsoft deems all
daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Sep 12 18:01:36 2011
Date: Mon, 12 Sep 2011 23:00:47 +0100
From: Tony Finch <dot@dotat.at>
To: Michael Thomas <mike@mtcc.com>
In-Reply-To: <4E6E20C7.9030905@mtcc.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
> > > > with dane, i trust whoever runs dns for citibank to identify the cert
> > > > for citibank. this seems much more reasonable than other approaches,
> > > > though i admit to not having dived deeply into them all.
> > > If the root DNS keys were compromised in an all DNS rooted world...
> > > unhappiness would ensue in great volume.

Compromise of DNSSEC == compromise of one or more DNS registries.
This is a fate sharing situation. A few single points of failure
rather than hundreds.

Note that a big weak point in the DNS is the interface between the
registrars and the registry. If you have a domain you have to trust the
registry to impose suitable restrictions on its registrars to prevent a
dodgy registrar from stealing your domain. Another, of course, is the
interface between a registrar and its customers.

> It also drives up complexity too and makes you wonder what the added
> value of those cert vendors is for the money you're forking over.

During rollout the cert vendors will be providing backwards compatibility.

> Especially when you consider the criticality of dns naming for everything
> except web site host names using tls.

If a website using TLS loses its DNS then (a) you can't reach it, and (b)
the attacker can trivially obtain a new domain validated certificate.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Fisher, German Bight, Humber, Thames, Dover: Southwest 7 to severe gale 9.
Rough or very rough, becoming high in Fisher. Showers. Moderate or good.